The WannaCry attack of 2017 was the first time that many people woke up to the danger inherent in software vulnerabilities. By taking advantage of flaws found in old versions of the Windows operating system, hackers were able to take control of large numbers of computers world wide and cause considerable disruption in the NHS and elsewhere.
Why are these vulnerabilities such a problem? It’s because they provide hackers with a point of entry to the system. If you think of it in terms of housebreaking, if the hacker is the burglar and the virus or trojan is the tool he uses to break in, then the vulnerability is the weak lock or partly open window that allows him to do so.
In order to defend their systems, therefore, businesses need to keep on top of vulnerabilities and keep their systems updated with the latest patches. The problem is the sheer volume that they need to deal with. Vulnerabilities occur not just in the Windows operating system, but in a whole range of other software too, so ensuring that everything is up to date is a major task.
Growing problem
Large organisations are dealing with more than 100 critical vulnerabilities every day, according to the findings of a new report. The study from cyber security specialist Tenable [1] reveals that Microsoft Office and Flash account for the majority of the flaws found in applications.
The company predicts that the number of vulnerabilities is expected to be up by 27 per cent this year compared with 2017. This presents system administrators with an ever harder task of prioritising which problems should be patched.
Among other findings are that average large businesses find 870 vulnerabilities every day spread across more than 900 different IT assets. However, only seven per cent of these have public exploits, making them the priority, so it’s difficult to prioritise which of the other 93 per cent needs attention first.
Interestingly, many hackers look to target older vulnerabilities in the hope that they may have been forgotten about and systems left unpatched. According to the Tenable report, out of the vulnerabilities seen in the largest number of businesses this year, many date back to 2015.
Types of attack
Vulnerabilities occur because of errors in coding which means that software responds to some requests in a way that allows the hacker in. One of the most common ways of doing this is via SQL injection. This exploits poorly configured websites and allows the hacker to access the underlying database. Web browser vulnerabilities, therefore, are among the highest priority for attention. Here again, the numbers are worrying – Firefox alone has had more than 100 vulnerabilities disclosed each year since 2009. [2]
Similarly, many programs used by both businesses and individuals rely on the Java development platform. This has vulnerabilities which hackers seek to exploit by getting people to download fake plug-ins or codecs which exploit the flaw to compromise the system. Since Java is often used in Android applications, this is a problem that affects huge numbers of systems.
Staying safe
Stopping your business from falling foul of this type of attack means being vigilant about keeping systems up to date. Increasingly, developers have introduced automated patching systems that ensure that Windows, for example, is automatically updated. This in itself can be a problem for business, however. Why? Because in some cases, applying a patch can create a problem. IT departments may, therefore, need to test patches before rolling them out to their end users.
There’s also the issue of older systems – WannaCry was largely spread via Windows XP systems that are no longer supported by their manufacturers. Businesses need to be aware as to when systems will fall out of support and take steps to upgrade them.
[1] https://www.tenable.com/cyber-exposure/vulnerability-intelligence
[2] https://www.cvedetails.com/product/3264/Mozilla-Firefox.html?vendor_id=452